CUWebAuth and CUWebLogin 2.0
Identity Management Team
Campus Developers Meeting
June 4, 2008

[Figure: K5 Migration Project timeline, 2008 to 2009, with phases labelled Testing, Discretionary migration window, and Buffer.]

https://confluence.cornell.edu/display/CUWAL/Cornell%27s+CUWebLogin+Pages
https://confluence.cornell.edu/display/CUWAL/CUWebAuth+2.0 Documentation

What's New in 2.0
- Kerberos 5 only
- Open-source
- GSSAPI
- Better Security
- Better Performance
- Simplified Administration
- Flexible Authorization Model
- New POST Data Handling
- Better Support

Changes for Kerberos 5
- Keytabs not Srvtabs
- ServiceID Self-Service Application
  - Create your own keytabs
  - Create your own ServiceID
  - Delegate authority
- No More SideCar
- No More Legacy CUSSP Library

Open System
- Documented Standards-based APIs
- Full Source Code Available
- Localize
- Porting
- Customization

Custom Tools
- Credential Creation & Parsing
- PermitG / Grouper lookup

GSSAPI
- IETF - RFC 2743
- C Bindings
- Java Bindings
- Wide OS Acceptance

Better Security
- CUWebLogin - Kerberos Proxy
- No Credential Minting
- Better MITM Attack Prevention

Performance
- CUWebLogin 1.0
  - 20 logins/sec per server
  - Single Server
- CUWebLogin 2.0
  - 200+ logins/sec per server
  - Load Balanced
  - 4 Servers

WebAuth Administration
- Fewer Directives
  - 26 Directives Obsolete
  - 5-6 New Ones
- Better Logging
  - Fine Grained
  - .htaccess
- VirtualHost
- Security Domain

Flexible Authorization (Active Content)
- New Directives, more than remoteuser…
  - Allow anonymous access
  - List group permissions
  - Pass cuwa-groups to application
  - How long ago did user log in?
  - Inspect cuwa-auth-time
  - Pass cuwa-delegated-cred to application

POST Data
- No More “Click to Continue”
- POST Data Handled By WebAuth
  - Request Data Stays at Website
- Can Handle Larger POSTs
- Same Support Apache / IIS

Better Support
- Apache and IIS – One Code Base
- 64-bit clean
- Thread safe
- No Name Collisions
  - Shared Library Compatibility (Unix)
- Problem with Binary? Rebuild It!
- Short List of Binaries
- RedHat, Solaris, Windows
- Apache 2.0, 2.2, IIS 6
- Wiki Documentation

Release Schedule
- Apache Go-Live: Now
- IIS Go-Live: one month-ish

Q&A
- Pete Bosanko pb10@cornell.edu
- Tom Parker jtp5@cornell.edu
- idmgmt@cornell.edu